Automatic Secure Escrowing of a Password for an Encrypted File or Partition Residing on an Attachable Storage Device so that the Device can be Unlocked Without User Intervention

ABSTRACT

An external data storage device queries the user for a password on at least its first attachment. If the user elects this option, the password is escrowed in encrypted form. The password is then passed to an encryption module which unlocks the encrypted file or partition, and upon subsequent attachments of the external data storage device the encrypted file or partition may be unlocked automatically using the securely escrowed password. The escrow of the encrypted password is managed by software residing on the external storage device that contains the encrypted file or partition.

CROSS-REFERENCE

The present application claims priority from provisional application No. 61/414,679 filed Nov. 17, 2010, the disclosures of which are hereby incorporated by reference.

FIELD OF INVENTION

The invention relates to the secure escrowing of encryption passwords and keys.

BACKGROUND

Both home users of personal computers and corporate IT departments generally believe that important or sensitive data should be protected by backing up that data and securing it from theft by encrypting it. The reality is that very few people or organizations actually do either, let alone both.

Backing up data requires the user or organization to overtly do something, such as manually launching a software program, which most people may do for some period of time but will then taper off and eventually not be bothered with. The same is true of encrypting data. The average person will rarely encrypt or decrypt data files over the long term, because even the minimal effort required is enough to discourage the practice.

What is needed is some method that removes even this minimal effort on the part of the user or organization to encrypt and protect their data.

SUMMARY

The purpose of the invention is to make data encryption, for data residing on attachable or portable storage devices, transparent to the user.

In one embodiment of the invention the user need only attach a portable or external storage device to his PC and enter a password one time, when the attached data storage device is connected to the PC for the first time. On subsequent attachments of the portable or external storage device to his PC the user need not enter a password. This embodiment of the invention requires user intervention only once and never again.

In another embodiment of the invention, which is intended for the corporate user, the Information Technology department pre-configures the portable or external storage device and "pushes" the encrypted or otherwise protected password from a secure environment down to the user's personal computer, after which the user need only attach the external or portable storage device to the computer and the protected data residing on the storage device will be automatically unlocked.

In another embodiment of the invention, the user attaches an external or portable storage device to his PC and then purchases a protected dataset, more commonly referred to as a vault, from a web site. The web site downloads the vault, places it on the external or portable storage device, and places an encrypted or otherwise protected password onto the PC that will be used to unlock the encrypted vault when the external or portable storage device is reattached to the PC. The user can then access the protected data contained on the external or portable storage device without having to enter a password every time the device is attached to his personal computer.

These and other embodiments will be explained in detail and will be clear to one skilled in the art from the following drawings and detailed descriptions.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a depiction of a personal computer with an attached storage device, shown containing the software necessary for the invention to be implemented.

FIG. 2 is a schematic of an attached storage device with the encrypted file and software, and a schematic of a personal computer connected to a network server where software programs and escrow files are stored.

FIG. 3 is a schematic of an attached storage device with the encrypted file and software, and a schematic of a personal computer connected to a web server where software programs and escrow files are stored.

DICTIONARY

The following terms are used in the description and claims of the invention.

-   1. Processor based computing devices
    -   A processor based computing device is any device containing a microprocessor, internal memory used for storage of executable software programs and their associated data, an operating system, and executable software computer code more typically called software programs. These programs are separate from the operating system software of the microprocessor and are typically called application programs or simply software programs.
    -   A processor based computing device may be any of, but is not limited to, the following devices: desktop personal or workstation computers, laptop personal computers, tablet computers, cell phones, Personal Digital Assistants (PDAs), in-vehicle computer systems, aircraft based computer systems, industrial control systems, and consumer electronic systems such as televisions, multimedia players, game consoles, etc.
-   2. Escrow software program
    -   An escrow software program is a software program that is loaded from a data store such as, but not limited to, one found on a processor based computing device, an external data storage device or network storage. This program contains the program code necessary to form an encryption key used to encrypt a password entered by the user and to save the encrypted password in a data store if directed to do so by the user.
-   3. Encryption software program or hardware module
    -   An encryption software program or hardware module is used to unlock and decrypt, or encrypt and lock, data contained inside an encrypted file, folder or partition contained on an external data storage device, which may be a device such as a flash memory drive attached to a processor based computing device, or an encrypted file, folder or partition contained on network storage. The module may be based in software code or may be based in an encryption chip which itself may also contain a microprocessor and software to perform the encryption and decryption of files, folders or partitions.
-   4. Encrypted files, folders or partitions located on an externally attachable data storage device
    -   Encrypted files, folders or partitions are data objects that have been encrypted and reside on a data store other than one contained on the processor based computing device. The externally attachable data storage device may be, but is not limited to, a flash memory device, a rotating memory device, an optical data storage device or a data storage device located on a network or Internet domain connected to the processor based computing device.
-   5. Information Technology (IT) Department
    -   An IT department provides businesses with sets of core services to help execute the business strategy: business process automation, providing information, connecting with customers, and productivity tools. The present invention falls under the core service of productivity tools.

DETAILED DESCRIPTION OF THE INVENTION

Now referencing FIG. 1, where 10 depicts a personal computer 13, an attached data storage device 11 and data bus 12. In this depiction attached data storage device 11 would most typically be a USB thumb drive containing an encrypted file or partition 21, escrow software program 22, and either encryption software 28 or hardware encryption engine 33.

Encrypted file or partition 21, escrow software program 22, and encryption software 28 would have been placed on attached data storage device 11 as part of an operation or process which is not part of the invention. Attached data storage device 11 may have hardware encryption engine 33 in the form of an integrated circuit chip as part of the electronics that make up attached data storage device 11. When attached data storage device 11 contains hardware encryption engine 33, encryption software 28 would normally not be placed on attached data storage device 11.

The invention is intended to interact with encrypted objects such as encrypted file or partition 21, and with encryption software 28 or hardware encryption engine 33, all of which are created by processes outside the scope of the invention.

Basic Embodiment

Now referencing FIG. 1, encrypted file or partition 21, more typically called an encrypted vault, may be encrypted by any encryption program such as TrueCrypt, which is an open source software encryption program, or by any other encryption program capable of encrypting a file and/or partition. Encrypted file or partition 21 may also be a partition on attached data storage device 11. In such an embodiment, attached data storage device 11 would have had some portion of its address space formatted such that it appears to a file system as a completely separate logical storage device. In this embodiment the entire partition would be encrypted.

In one embodiment, escrow software program 22 residing on attached storage device 11 is launched when attached data storage device 11 is connected to personal computer 13 through data bus 12. In this embodiment personal computer operating system 24 monitors data bus 12, and when a storage device is connected to personal computer 13 via data bus 12, personal computer operating system 24 will scan attached storage device 11 and, if an executable software program is present on attached data storage device 11, personal computer operating system 24 will launch escrow software program 22 by copying it into PC memory 25 and starting it executing. If personal computer operating system 24 does not have the capability to auto-launch escrow software program 22, then the user may launch escrow software program 22 manually.

Once escrow software program 22 is launched, it will copy encryption software 28, if present, from attached storage device 11 and start it executing. Escrow software program 22 will then determine whether attached data storage device 11 has previously been attached to personal computer 13 by examining system storage 26 for escrow password file 27. At this point there are a number of possible actions, as described in the following:

-   1. If escrow software program 22 locates escrow password file 27 on system storage 26, it will assemble a key made up of a plurality of unique and predetermined data objects, some or all of which are not under the control of the user, such as the serial number of the microprocessor in personal computer 13, the ID of the user who is currently logged onto personal computer 13, the ID or serial number of attached storage device 11, and/or any other unique data items that have been predetermined to constitute the key. These data items are hashed together and the result is used as the key. Once the key is prepared, escrow software program 22 will attempt to unlock escrow password file 27 and retrieve the password, which is then passed to encryption software 28 for unlocking encrypted file or partition 21 on attached data storage device 11. If attached data storage device 11 has hardware encryption engine 33 present, then encryption software 28 will not be present on attached data storage device 11. In that case, escrow software program 22 will pass the password that had been contained in escrow password file 27 to hardware encryption engine 33 by issuing a command to attached data storage device 11 over data bus 12, where the command sent over data bus 12 contains the password. In this embodiment, the user will never see a prompt or query for a password, and encrypted file or partition 21 will have been automatically unlocked without the user having to enter a password.
-   2. If escrow software program 22 cannot locate escrow password file 27 on system storage 26, it will prompt the user for the password and ask whether the user wants the password to be remembered on personal computer 13. If the user enters the password but does not want the password to be remembered (escrowed), escrow software program 22 will pass the password to encryption software 28 or to hardware encryption engine 33, depending on the configuration of attached data storage device 11, for unlocking encrypted file or partition 21. If the user indicates that he wants the password remembered or escrowed, escrow software program 22 will create escrow password file 27 by collecting a predetermined set of data objects, some or all of which are not under the control of the user, such as the serial number of the microprocessor in personal computer 13, the ID of the user who is currently logged onto personal computer 13, the ID or serial number of attached storage device 11, and/or any other unique data items that have been predetermined to constitute the key. These data items are hashed together and the result is used as the encryption key to encrypt the password entered by the user, which is then saved as escrow password file 27 in system storage 26. Once escrow password file 27 has been created, escrow software program 22 will pass the password to encryption software 28 or hardware encryption engine 33, depending on the configuration of attached data storage device 11, after which encryption software 28 or hardware encryption engine 33 will unlock encrypted file or partition 21 located on attached data storage device 11.

Network Embodiment

In another embodiment, shown in FIG. 2, network server 30 is connected to personal computer 13 via network 32. Network server 30 contains network software 31. In this embodiment, which is typical of the relationship between a user's personal computer and a server under the control of an IT department, escrow password file 27 is created by the IT department on network server 30. The IT department will pull the predetermined set of data objects for constructing the key for escrow password file 27 from personal computer 13 via network 32. Some or all of these data objects are not under the control of the user, such as the serial number of the microprocessor in personal computer 13, the ID of the user who is currently logged onto personal computer 13, the ID or serial number of attached storage device 11, and/or any other unique data items that have been predetermined to constitute the key. Network software 31 will formulate the key for encrypting escrow password file 27 using the pulled data objects and will generate a password, which is then encrypted using the formulated key. Network software 31 will then push escrow password file 27 down to personal computer 13 via network 32 and will cause escrow password file 27 to be stored on system storage 26 at a known location. The IT department will then create encrypted file or partition 21 and will push it down and place it on attached data storage device 11 along with escrow software program 22 and encryption software 28. Attached data storage device 11 will then be given to the user, who will attach attached data storage device 11 to personal computer 13 through data bus 12.

At this point in the embodiment, escrow software program 22 will be launched and it will copy and start executing encryption software 28, after which escrow software program 22 will locate escrow password file 27, formulate the key to unlock escrow password file 27 and retrieve the password, which is then passed to encryption software 28 or to hardware encryption engine 33, depending on the configuration of attached data storage device 11, which will unlock the encrypted file or partition on attached data storage device 11.
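The following is an added example, not code from the patent, modelling both the basic embodiment (the two actions of escrow software program 22 on attachment) and the network embodiment (network software 31 generating the password and building escrow password file 27 from data objects pulled from the PC). The patent does not specify a hash, a cipher or a file layout, so those are assumptions: the key is SHA-256 over the length-prefixed data objects, and the escrow file is nonce, ciphertext and HMAC tag using an HMAC-SHA256 counter-mode keystream so that it runs with the Python standard library alone; a deployment would use a standard AEAD such as AES-GCM in its place. The identifier values, the escrow path and the `prompt`/`unlock` callbacks are constructed stand-ins for the user query, encryption software 28 and hardware encryption engine 33.

```python
"""Model of the password escrow of the basic and network embodiments.
Added example; hash, cipher and file layout are assumptions (see lead-in)."""
import hashlib
import hmac
import os
import secrets

# Data objects hashed into the key; the patent lists these as examples and the
# exact set is predetermined by the deployment (assumption).
KEY_FIELDS = ("cpu_serial", "user_id", "device_serial")
ESCROW_PATH = "system_storage/escrow_password_file_27"  # hypothetical location
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(identifiers):
    """Hash the predetermined data objects together into a 32-byte key.
    Each field is tagged and length-prefixed so that "ab"+"c" != "a"+"bc"."""
    h = hashlib.sha256()
    for name in KEY_FIELDS:
        value = str(identifiers[name]).encode()
        h.update(name.encode() + b"\x00" + len(value).to_bytes(4, "big") + value)
    return h.digest()


def _subkeys(key):
    """Separate encryption and MAC keys derived from the hashed identifiers."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as the PRF keystream (assumption)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def create_escrow(password, identifiers):
    """Encrypt the vault password under the identifier-derived key and return
    the bytes of escrow password file 27 as nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(derive_key(identifiers))
    nonce = os.urandom(NONCE_LEN)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_escrow(blob, identifiers):
    """Reconstruct the key from the same data objects and recover the password.
    Raises ValueError when the data objects differ (file copied to another PC,
    or presented with another device) or when the file was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("escrow file truncated")
    enc_key, mac_key = _subkeys(derive_key(identifiers))
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("escrow file does not match this PC/device or was altered")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def on_attach(system_storage, identifiers, prompt, unlock):
    """Escrow software program 22 at attach time (basic embodiment).
    system_storage models system storage 26 as a dict keyed by path; prompt()
    returns (password, remember); unlock(password) stands in for encryption
    software 28 or hardware encryption engine 33 and returns True on success."""
    blob = system_storage.get(ESCROW_PATH)
    if blob is not None:                      # action 1: file found, no prompt
        password = open_escrow(blob, identifiers)
    else:                                     # action 2: first attachment
        password, remember = prompt()
        if remember:
            system_storage[ESCROW_PATH] = create_escrow(password, identifiers)
    return unlock(password)


def it_provision(identifiers_pulled_from_pc):
    """Network embodiment: network software 31 generates the vault password,
    escrows it under a key built from data pulled from the PC, and returns
    (password used to create vault 21, escrow file 27 to push to the PC)."""
    password = secrets.token_urlsafe(24)
    return password, create_escrow(password, identifiers_pulled_from_pc)


if __name__ == "__main__":
    # Constructed identifiers for two PCs sharing the same thumb drive.
    pc_a = {"cpu_serial": "BFEBFBFF000306A9", "user_id": "alice", "device_serial": "USB-0001"}
    pc_b = dict(pc_a, cpu_serial="BFEBFBFF000906E9")
    store, vault = {}, (lambda pw: pw == "correct horse")
    print(on_attach(store, pc_a, lambda: ("correct horse", True), vault))   # prompted, escrowed
    print(on_attach(store, pc_a, None, vault))                              # unlocked silently
    try:
        on_attach(store, pc_b, None, vault)                                 # same file, other PC
    except ValueError as err:
        print("refused:", err)
```

Because the key is rebuilt from identifiers that are readable on the PC and the device, the escrow file binds the password to that PC/device pair but is not a secret independent of them: anyone able to read both the file and those identifiers can recover the password, so the file should carry the same access controls as the user's profile. The `store` dict can equally model escrow password file 27 held on network server 30 in the system-monitor variation.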

In a variation on the network embodiment, network server 30 will push down and install the software modules system monitor 29, encryption software 28, and escrow software program 22 on personal computer 13. In this variation of the network embodiment, network server 30 removes the need to load escrow software program 22 and encryption software 28 onto attached data storage device 11. This ensures that the user cannot even attempt to unlock encrypted file or partition 21 on any computer not connected to the network. In this embodiment of the invention, system monitor 29 continually monitors data bus 12, and when it detects that attached data storage device 11 has been connected to personal computer 13 through data bus 12 it will check whether encrypted file or partition 21 is present on attached data storage device 11. If system monitor 29 determines that encrypted file or partition 21 is present on attached data storage device 11, it will retrieve the password from escrow password file 27 residing on network server 30 and will pass the password to encryption software 28 or to hardware encryption engine 33, depending on the configuration of attached data storage device 11.

In another variation of the network embodiment of the invention, a web server 40 resides on a wide area network such as the internet, as shown in FIG. 3, with web server software 41 that performs a series of actions resulting in encrypted file or partition 21 being created on attached data storage device 11. In this variation of the network embodiment, the user may connect attached data storage device 11, which at the time of connection contains no data, to personal computer 13 via data bus 12. The user may then connect to web server 40, which will cause web server software 41 to push down escrow software program 22, system monitor 29, encryption software 28, and escrow password file 27 to system storage 26 residing on personal computer 13. In this embodiment web server software 41 will retrieve from personal computer 13 a predetermined set of data objects, some or all of which are not under the control of the user, such as the serial number of the microprocessor on personal computer 13, the ID of the user who is currently logged onto personal computer 13, the ID or serial number of attached data storage device 11, and/or any other unique data items that have been predetermined to constitute the key, and will formulate a key with which to encrypt a password that has been randomly generated by web server 40. After the password has been encrypted, thereby creating escrow password file 27, it will be pushed down to personal computer 13 via internet 42 and saved in system storage 26. Web server software 41 may create and download encrypted file or partition 21, in which case encrypted file or partition 21 will be a file which will be saved on attached data storage device 11. Web server 40 may also, via web server software 41, format attached data storage device 11 in real time such that encrypted file or partition 21 is an encrypted partition.

In another variation of this embodiment, escrow software program 22 and encryption software 28 are moved to attached data storage device 11 after they are pushed down to personal computer 13 by web server 40. In this embodiment, system monitor 29 and escrow password file 27 will not be created by web server software 41. In this embodiment of the invention, the user will, after encrypted file or partition 21, escrow software program 22, and encryption software 28 have been moved to attached data storage device 11, detach and re-attach attached data storage device 11 to personal computer 13, at which time the process will be identical to that described in the basic embodiment of the invention above.

CLAIMS

1. A method and apparatus for a user to selectively and securely escrow an encryption password or key to a file residing on a processor based computing device, where said escrowed password or key can be used for automatically unlocking one or more encrypted files or partitions located on an externally attachable data storage device connected to said processor based computing device such that the password need only be optionally provided by the user at least once on said selected processor based computing device, and comprising: a. an externally attachable data storage device containing one or more encrypted files or partitions; b. an encryption software program or hardware encryption module residing on said externally attachable data storage device which is used for unlocking or locking selected encrypted files or partitions contained on the attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; c. an escrowing software program for managing the secure escrowing of an encryption password or key, said escrowing software program residing on said externally attached data storage device containing said encrypted files or partitions; d. said escrowing software program will offer said user the option to securely escrow or save said encryption password or key to said processor based computing device to which said external data storage device is attached; e. said password or key is then encrypted using an encryption key constructed with a plurality of unique data of which some or all is not under the control of, nor specified by, said user and consisting of, but not limited to, unique characteristics of said external data storage device and said processor based computing device; f. said password or key is then securely escrowed on said processor based computing device; g. said escrow software program will then pass said password or key to said encryption software program or hardware encryption module to unlock said encrypted files or partitions residing on said attached external data storage device; h. on subsequent insertions of said attached external storage device, if said user had indicated to said escrow software program that said password or key was to be remembered, said escrow software program will retrieve said password or key by reconstructing said encryption key from the plurality of unique data used to encrypt said password or key and decrypting said encrypted password or key without said user intervening, said password or key then being passed to said encryption software program or hardware encryption module and automatically unlocking the selected encrypted files or partitions without the need for the user to enter the encryption password or key.
2. A method and apparatus for a user to selectively and securely escrow an encryption password or key to a file residing on a network, said network connected wired or wirelessly to a user's processor based computing device, where said escrowed password or key can be used for automatically unlocking one or more encrypted files or partitions located on an externally attachable data storage device connected to said processor based computing device such that the password need only be optionally provided by the user at least once on said selected processor based computing device, and comprising: a. an externally attachable data storage device containing one or more encrypted files or partitions; b. an encryption software program or hardware encryption module residing on said externally attachable data storage device which is used for unlocking or locking selected encrypted files or partitions contained on the attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; c. an escrowing software program for managing the secure escrowing of an encryption password or key, said escrowing software program residing on said externally attached data storage device containing said encrypted files or partitions; d. said escrowing software program will offer said user the option to securely escrow or save said encryption password or key to said file residing on said network, said network connected to said processor based computing device to which said external data storage device is attached; e. said password or key is then encrypted using an encryption key constructed with a plurality of unique data of which some or all is not under the control of, nor specified by, said user and consisting of, but not limited to, unique characteristics of said external data storage device, said processor based computing device, said network environment and/or the network domain to which said user is assigned; f. said password or key is then securely escrowed in said file residing on said network; g. said escrow software program will then pass said password or key to said encryption software program or hardware encryption module to unlock said encrypted files or said partitions residing on said attached external data storage device; h. on subsequent insertions of said attached external storage device, if said user had indicated to said escrow software program that said password or key was to be remembered, said escrow software program will retrieve said password or key by reconstructing said encryption key from said plurality of unique data used to encrypt said password or key and decrypting said encrypted password residing in said file on said network without said user intervening, said password or key then being passed to said encryption software program or said hardware encryption module and automatically unlocking said encrypted files or partitions without the need for the user to enter said encryption password or key.
3. A method and apparatus for a user to selectively and securely escrow an encryption password or key to a file residing on a processor based computing device, where said escrowed password or key can be used for automatically unlocking one or more encrypted files, folders or partitions located on a local area network attached to said processor based computing device such that the password need only be optionally provided by the user at least once on said selected processor based computing device, and comprising: a. a local area network with at least a first storage device containing one or more encrypted files, folders or partitions; b. an encryption software program residing on said local area network which is used for unlocking or locking selected encrypted files or partitions contained on said local area network and also may be used for decrypting data read from selected encrypted files, folders or partitions, and encrypting data to be written to encrypted files, folders or partitions residing on said local area network; c. an escrowing software program for managing the secure escrowing of an encryption password or key, said escrowing software program residing on said processor based computing device; d. said escrowing software program will offer said user the option to securely escrow or save said encryption password or key to said processor based computing device attached to said local area network; e. said password or key is then encrypted by said escrowing software program using an encryption key constructed with a plurality of unique data of which some or all is not under the control of, nor specified by, said user and consisting of, but not limited to, unique characteristics of said local area network and said processor based computing device; f. said password or key is then securely escrowed in a file residing on said processor based computing device; g. said escrow software program will then pass said password or key to said encryption software program to unlock said encrypted files or partitions residing on said local area network storage; h. on subsequent connection to said local area network storage, if said user had indicated to said escrow software program that said password or key was to be remembered, said escrow software program will retrieve said password or key by reconstructing said encryption key from the plurality of unique data used to encrypt the password or key and decrypting said encrypted password or key without said user intervening, said password or key then being passed to said encryption software program and automatically unlocking the selected encrypted files or partitions without the need for the user to enter the encryption password or key.

4. A method and apparatus for a company department to securely escrow an encryption password or key to a secure escrow file that will be placed on an assigned user's processor based computing device connected to a company local area network, where said escrowed password or key is used for automatically unlocking one or more encrypted files or partitions located on an externally attachable data storage device connected to said user's processor based computing device, comprising: a. a company department or group that manages computer systems and data security within a company; b. an externally attachable data storage device that will contain one or more encrypted files or partitions, said attachable data storage device may contain a hardware encryption engine for unlocking or locking selected encrypted files or partitions contained on said attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; c. 
an encryption software program used for unlocking or locking selected encrypted files or partitions contained on said attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; d. an escrowing software program for managing the secure escrow file of an encryption password or key; e. said company department will generate a password or key to be used for unlocking said encrypted files or partitions that will reside on said attachable data storage device; f. said company department will access said user's processor based computing device and collect a plurality of unique data of which some or all is not under the control of, nor specified by, said user and consisting of, but not limited to, unique characteristics of said external data storage device, said local area network and said processor based computing device; g. said password or key is then encrypted using an encryption key constructed with said plurality of unique data, thus forming a secure escrow file; h. said company department will then place said secure escrow file on said processor based computing device attached to said local area network; i. said company department will create an encrypted file or partition on said attachable data storage device using said password or key as the encryption key for said encrypted file or partition; j. if said attachable data storage device does not contain a hardware encryption engine, said company department will then place an encryption software program on said user's processor based computing device, said encryption software program will be used for unlocking or locking selected encrypted files or partitions contained on said attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; k. said company department will then give said user said attachable data storage device; l. when said user connects said attachable data storage device to his said processor based computing device and said processor based computing device recognizes the presence of said attachable data storage device, said escrow software program will be launched and said escrow software program will retrieve said password or key by reconstructing said encryption key from the plurality of unique data used to encrypt said password or key and decrypting said encrypted password or key without said user intervening, said password or key then being passed to said encryption software program or hardware encryption module and automatically unlocking said selected encrypted files or partitions without the need for the user to enter the encryption password or key.
5. A method and apparatus for a user to acquire one or more secure files or partitions from a web site along with the software necessary to create and manage a secure escrow file containing a password or key used for automatically unlocking one or more encrypted files or partitions that will be located on an externally attachable data storage device connected to said user's processor based computing device, comprising: a. a web site accessed by a user via the internet that delivers software modules that will be downloaded or pushed to a user's processor based computer system and one or more secure files or partitions that will be created or placed onto an attachable data storage device; b. an externally attachable data storage device that will contain one or more encrypted files or partitions, said attachable data storage device may contain a hardware encryption engine for unlocking or locking selected encrypted files or partitions contained on said attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; c. an encryption software program used for unlocking or locking selected encrypted files or partitions contained on said attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; d. an escrowing software program for managing the secure escrow file of an encryption password or key that will reside on user's said processor based computing device; e. said web site will generate a password or key to be used for unlocking said encrypted files or partitions that will reside on said attachable data storage device; f. said web site will access said user's processor based computing device and collect a plurality of unique data of which some or all is not under the control of, nor specified by said user and consisting of, but not limited to, unique characteristics of said external data storage device and said processor based computing device; g. said password or key is then encrypted using an encryption key constructed with said plurality of unique data, thus forming a secure escrow file; h. said web site will then place said secure escrow file on said processor based computing device attached to said web site via the internet; i. said web site will create an encrypted file or partition on said attachable data storage device using said password or key as the encryption key for said encrypted file or partition, by downloading said encrypted file or partition or by creating said encrypted file or partition in real time on said attachable data storage device connected to user's said processor based computer device; j. if said attachable data storage device does not contain a hardware encryption engine, said web site will then place an encryption software program on said user's processor based computing device, said encryption software program will be used for unlocking or locking selected encrypted files or partitions contained on said attachable data storage device and also may be used for decrypting data read from selected encrypted files or partitions, and encrypting data to be written to encrypted files or partitions residing on said externally attachable data storage device; k. when said user connects said attachable data storage device to his said processor based computing device and said processor based computing device recognizes the presence of said attachable data storage device, said escrow software program will be launched and said escrow software program will retrieve said password or key by reconstructing said encryption key from the plurality of unique data used to encrypt said password or key and decrypting said encrypted password or key without said user intervening, said password or key then being passed to said encryption software program or hardware encryption module and automatically unlocking said selected encrypted files or partitions without the need for the user to enter the encryption password or key.
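The escrow procedure that claims 4 and 5 share (steps e through h at setup, step l or k on reattachment) is shown below as an added Python example; it is not part of the patent and not any product's code. It assumes a constructed fingerprint dictionary standing in for the "plurality of unique data" (the values are placeholders, not real identifiers), derives the wrapping key with scrypt from the standard library, and uses an HMAC-SHA256 counter-mode keystream with an HMAC tag as a standard-library stand-in for an authenticated cipher such as AES-GCM, which a real escrow program would use instead.

```python
import hashlib
import hmac
import secrets

# Constructed sample "plurality of unique data": the kind of values an escrow
# program (claim 4 step f / claim 5 step f) might read from the host and the
# attached device. Placeholders only, not real identifiers.
SAMPLE_FINGERPRINT = {
    "device_serial": "USB-DEMO-0001",
    "device_vid_pid": "1234:5678",
    "host_machine_id": "host-demo-uuid",
    "lan_mac": "00:11:22:33:44:55",
}


def canonical_fingerprint(data: dict) -> bytes:
    """Serialize the unique data deterministically: the same host and device
    must yield the same bytes so the key can be reconstructed later (step l/k)."""
    return "\n".join(f"{k}={data[k]}" for k in sorted(data)).encode()


def derive_wrap_key(fingerprint: bytes, salt: bytes) -> bytes:
    """Step g: build the escrow encryption key from the fingerprint. scrypt
    slows guessing over low-entropy fingerprints; the salt is stored in the
    escrow file so the key is reconstructible on the next attachment."""
    return hashlib.scrypt(fingerprint, salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR.
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def create_escrow(password: bytes, fingerprint: dict) -> bytes:
    """Steps e-h: wrap the generated partition password under the fingerprint
    key. File layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    wrap = derive_wrap_key(canonical_fingerprint(fingerprint), salt)
    enc_key, mac_key = wrap[:32], wrap[32:]
    ct = bytes(a ^ b for a, b in zip(password, _keystream(enc_key, nonce, len(password))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_escrow(escrow: bytes, fingerprint: dict):
    """Step l/k: on attachment, rebuild the key from the fingerprint collected
    *now* and unwrap. Returns the password, or None when the fingerprint differs
    (different host or device) or the escrow file was modified."""
    if len(escrow) < 64:
        return None
    salt, nonce, ct, tag = escrow[:16], escrow[16:32], escrow[32:-32], escrow[-32:]
    wrap = derive_wrap_key(canonical_fingerprint(fingerprint), salt)
    enc_key, mac_key = wrap[:32], wrap[32:]
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> tuple:
    """Walk the procedure: the password is generated (step e), never typed by
    the user; it unwraps on the original host and fails on another host."""
    password = secrets.token_bytes(32)
    escrow = create_escrow(password, SAMPLE_FINGERPRINT)
    same_host = open_escrow(escrow, SAMPLE_FINGERPRINT)
    other = dict(SAMPLE_FINGERPRINT, host_machine_id="different-host-uuid")
    other_host = open_escrow(escrow, other)
    return same_host == password, other_host is None


if __name__ == "__main__":
    print(demo())
```

The tag check matters for the "without user intervening" step: a changed fingerprint or an edited escrow file yields None, so the escrow program can fall back to prompting rather than passing garbage to the encryption module. The wrapping key is only as unpredictable as the collected unique data; a device serial, a machine identifier and a MAC address are readable by anyone who already has the host and the device, so this escrow binds the password to that host and device rather than protecting it from someone who controls both, which is consistent with the claims' goal of removing the prompt on the user's own computer.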
6. The methods and apparatuses of any one of claims 1, 2, 4 or 5 where said attachable data storage device is any of, but not limited to, the following: a. Flash memory drive; b. Rotating magnetic hard disk drive; c. WORM optical or magnetic disk drive; d. Optical write once disk drive; e. Optical read/write disk drive.
7. Any of the methods and apparatuses of any one of claims 1, 2, 4 or 5 where said attachable storage device is connected to said processor based computing device through any of, but not limited to, the following buses: a. Universal Serial Bus (USB); b. IEEE-1394 (FireWire); c. Wireless USB; d. Wireless Bluetooth; e. Wireless 802.11; f. Thunderbolt interface.
8. The methods and apparatuses of any of claims 1, 2, 4 or 5 where said attachable storage device contains a hardware based encryption engine, where the said password or key is passed to the said hardware based encryption engine by said escrow software program.